{"id":194,"date":"2026-04-29T05:52:22","date_gmt":"2026-04-29T05:52:22","guid":{"rendered":"https:\/\/blog.osto.one\/?p=194"},"modified":"2026-05-05T10:11:31","modified_gmt":"2026-05-05T10:11:31","slug":"hipaa-business-associate-agreement-hospitals","status":"publish","type":"post","link":"https:\/\/www.osto.one\/resources\/blog\/hipaa-business-associate-agreement-hospitals\/","title":{"rendered":"The HIPAA Business Associate Agreement: What Hospitals Actually Read Before Signing"},"content":{"rendered":"

For most healthtech founders, the Business Associate Agreement is a document they need to sign before a hospital will work with them. That’s a reasonable way to understand it. What’s less understood is what the BAA actually means legally, what hospitals are specifically looking for when they review it, and what the common friction points are that delay deals by months.<\/p>\n

Understanding the BAA changes how you sell into healthcare. It’s not a formality to push through legal. It’s the document that defines your liability exposure with PHI, and the way you approach it signals to the hospital whether you understand what you’re getting into.<\/p>\n

What a BAA actually is<\/h2>\n

Under HIPAA, covered entities \u2014 hospitals, health plans, and healthcare providers \u2014 can only share Protected Health Information with Business Associates who have signed a compliant BAA. If your healthtech product creates, receives, maintains, or transmits PHI on behalf of a covered entity, you are a Business Associate. The BAA is mandatory, not optional.<\/p>\n

The BAA specifies: what PHI you can use and for what purposes, your obligation to implement safeguards, your responsibility to report breaches to the covered entity and their timeline expectations for that notification, your obligation to pass down equivalent protections to any subprocessors who touch PHI, and what happens to PHI when the relationship ends.<\/p>\n

<\/p>\n

\n

Signing a BAA creates real legal accountability. If you experience a breach of PHI traceable to your failure to implement the safeguards described in the BAA, you face direct exposure under HIPAA. Penalties up to $1.9 million per violation category per year, plus civil litigation from affected patients.<\/p>\n<\/div>\n

This is why the hospital’s legal team reads it carefully. And why you should too.<\/p>\n

What hospitals focus on when they review your BAA<\/h2>\n

<\/p>\n

\n
\n
\n 1<\/span><\/p>\n
Breach notification timeline<\/div>\n<\/p><\/div>\n

HIPAA requires Business Associates to notify covered entities ‘without unreasonable delay and in no case later than 60 calendar days after discovery.’ Most hospitals want a much shorter commitment in the contract \u2014 24 to 48 hours for initial notification of a suspected breach. This is where the most negotiation happens. The hospital wants fast notification because they have their own HIPAA obligations to patients and potential HHS reporting requirements. If you notify them on day 58, they have two days to notify potentially thousands of patients.<\/p>\n<\/p><\/div>\n

\n
\n 2<\/span><\/p>\n
Scope of permitted use<\/div>\n<\/p><\/div>\n

Hospitals are specific about what you can do with their patients’ PHI. Using it to provide the contracted service: permitted. Using it to improve your AI model, train on patient cohorts, or aggregate for research: requires explicit permission in the BAA or a separate data use agreement. Several healthtech companies have run into significant problems by training AI models on patient data under BAAs that didn’t explicitly permit it.<\/p>\n<\/p><\/div>\n

\n
\n 3<\/span><\/p>\n
Subprocessor disclosure<\/div>\n<\/p><\/div>\n

Hospitals want to know who else touches their patients’ data. Your AWS environment, your database, your monitoring platform, your analytics service. Each one is a subprocessor. Hospitals increasingly require disclosure of key subprocessors by name, especially cloud providers.<\/p>\n<\/p><\/div>\n

\n
\n 4<\/span><\/p>\n
Termination and data return<\/div>\n<\/p><\/div>\n

When the relationship ends, what happens to PHI? ‘Within 30 days of termination’ is a common commitment. If you’re operating a platform where PHI destruction would affect the service for other covered entities, this section gets complicated and needs careful drafting.<\/p>\n<\/p><\/div>\n<\/div>\n

Your BAA or theirs<\/h2>\n

Most hospitals have their own BAA templates and prefer to use them. Their lawyers drafted their template with their specific obligations and preferences in mind. The problem for an early-stage healthtech company is that hospitals’ templates often include indemnification and liability terms that are heavily weighted toward the hospital.<\/p>\n

Having your own BAA template, pre-approved by healthcare counsel, creates a different dynamic. It signals that you’ve done this before. It gives legal teams something to compare against. And your template likely has more balanced indemnification and liability terms.<\/p>\n

<\/p>\n

\n

The three things BAA negotiations almost always come down to:<\/p>\n